To the latter point, firewalls or routers may drop packets (or reconfigure routing) where an IPS or other inline system could rewrite packet contents to remove attack patterns. It's much cheaper to drop the suspicious traffic once identified than to try to clean it, so that approach is far more common. The same thing happens at the webserver/WAF layer, which can block "bad" requests.
– adric Jan 15 '14 at 14:32

2 Answers

When it comes to network DoS, generally attackers will send small packets that elicit a large packet response from the victim. Smaller attacking packets are favoured over large attacking packets, as a greater number of them can be sent out within a given time-frame. An example of this is the NTP (Network Time Protocol) DoS attack that's been gaining popularity recently.

An article was written up over at ArsTechnica that describes the attack fairly well and in layman's terms. "A command of just 234 bytes is enough to cause some NTP servers to return a list of up to 600 machines that have previously used its time-syncing service". "The NTP servers, which may be located in dozens or even hundreds of locations all over the world, in turn send the targets responses that could be tens or hundreds of times bigger than the spoofed request."

These attacks work by causing the target system to consume enough resources to make it unresponsive to legitimate traffic.

A similar method can be seen in SYN flood attacks. The attacker sends out SYN (synchronise) request packets to the target system with a spoofed source IP address. When the target system tries to respond to these SYN requests with SYN-ACK (synchronise-acknowledge) packets, it receives no ACK packet in return, since the system that belongs to the falsified IP address knows that it did not send out a SYN request. These half-open connections consume resources on the target system until it is not able to respond to legitimate requests.

A SYN flood can be mitigated in multiple ways, including imposing a limit on the number of SYN requests that are permitted to pass through a firewall on a per-second basis. Another way to mitigate a SYN flood is by decreasing the timeout value for SYN-ACK packets.

Routers route packets regardless of their size; therefore it's more interesting to use small packets. Small packets can saturate your link a lot faster than large packets. In practice routers can't route at a certain speed expressed in Mbit; those speeds are calculated based on the average packet size multiplied by the number of packets the router can route.